tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/hal_cas.te

36 lines
1.1 KiB
Text
Raw Normal View History

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# HwBinder IPC from client to server, and callbacks
binder_call(hal_cas_client, hal_cas_server)
binder_call(hal_cas_server, hal_cas_client)
add_hwservice(hal_cas_server, hal_cas_hwservice)
allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
Revert "Fix CTS regressions" This reverts commit ed876a5e969ce89d9887cc19a97aadbaf5118e4a. Fixes user builds. libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; libsepol.check_assertions: 1 neverallow failures occurred Error while expanding policy Bug: 69566734 Test: build taimen-user Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 21:25:37 +01:00
get_prop(hal_cas, serialno_prop)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
allow hal_cas tee_device:chr_file rw_file_perms;
###
### neverallow rules
###
# hal_cas should never execute any executable without a
# domain transition
Revert "Fix CTS regressions" This reverts commit ed876a5e969ce89d9887cc19a97aadbaf5118e4a. Fixes user builds. libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; libsepol.check_assertions: 1 neverallow failures occurred Error while expanding policy Bug: 69566734 Test: build taimen-user Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 21:25:37 +01:00
neverallow hal_cas { file_type fs_type }:file execute_no_trans;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# do not allow privileged socket ioctl commands
Revert "Fix CTS regressions" This reverts commit ed876a5e969ce89d9887cc19a97aadbaf5118e4a. Fixes user builds. libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; libsepol.check_assertions: 1 neverallow failures occurred Error while expanding policy Bug: 69566734 Test: build taimen-user Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 21:25:37 +01:00
neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Reference in a new issue Copy permalink